
#91: Filtering Parameters in Phoenix

Phoenix 1.4


Currently, when a user registers for our site they enter some information about themselves, like their name, date of birth, and a secret phrase they can use in case they get locked out of their account, in addition to their email and password. Let’s look at the logs for when a user is created:

  Parameters: %{"registration" => %{"dob" => "01/01/1990", "email" => "hello@elixircasts.io", "encrypted_password" => "[FILTERED]", "secret_phrase" => "top secret", "username" => "alekx"}}

We see that by default Phoenix filters out the password. However, we still have some sensitive information like the date of birth and the secret phrase included. Phoenix makes it easy to filter out sensitive data like this, so let’s update our application to do just that.

We’ll open our config.exs. Phoenix gives us two ways to configure which parameters we filter. The first way is to list the parameters we want filtered; any parameter not in the list will still appear in our logs. To do that we’ll add config :phoenix with the :filter_parameters option and a list of the parameters we want to filter. Let’s filter out “dob” and “secret_phrase”. Since we’re now setting the list ourselves, we’ll need to remember to include “password” in it if we want to continue to have it filtered.

config/config.exs

...
config :phoenix, :filter_parameters, ["dob", "secret_phrase", "password"]
...

We’ll need to restart the server since we changed the config.exs.

$ mix phx.server
...

Then we’ll create another user and look at the logs again:

  Parameters: %{ ... "registration" => %{"dob" => "[FILTERED]", "email" => "user2@elixircasts.io", "encrypted_password" => "[FILTERED]", "secret_phrase" => "[FILTERED]", "username" => "bill"}}

We see that the parameters we specified: dob, secret_phrase, and password are being filtered out.

Now let’s look at the other way to filter parameters. We’ll go back to our config.exs and instead of specifying what parameters we want filtered here, we can do the opposite and specify the parameters we want to show.

Let’s change our filter_parameters option: instead of a list we’ll use a two-element tuple, where the first element is the atom :keep and the second is a list of the parameters we don’t want filtered in our logs. All parameters not specified here will be filtered.

config/config.exs

...
config :phoenix, :filter_parameters, {:keep, ["username"]}
...

Then we’ll restart the server again.

$ mix phx.server
...

And if we create another user and go to our logs, we see only the “username” is not filtered in our params.

  Parameters: %{ ... "registration" => %{"dob" => "[FILTERED]", "email" => "[FILTERED]", "encrypted_password" => "[FILTERED]", "secret_phrase" => "[FILTERED]", "username" => "Jill"}}
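
The two forms behave differently once a new field is added to the form after the config was written. The script below is an added example, not code from the episode or from Phoenix: FilterModel is a hypothetical, simplified model of the two modes, and the “ssn” field and all values are constructed. It assumes substring matching for the list form (as seen above, where “password” masks “encrypted_password”) and exact matching for :keep.

```elixir
# Simplified model of the two :filter_parameters modes; not Phoenix's source.
defmodule FilterModel do
  @filtered "[FILTERED]"

  # {:keep, keys}: show only the listed keys, mask every other value.
  def filter(params, {:keep, keys}), do: keep(params, keys)
  # Plain list: mask keys that contain a listed string, show the rest.
  def filter(params, keys) when is_list(keys), do: discard(params, keys)

  defp discard(%{} = map, keys) do
    Map.new(map, fn {k, v} ->
      # Substring match, so "password" also masks "encrypted_password".
      if is_binary(k) and String.contains?(k, keys),
        do: {k, @filtered},
        else: {k, discard(v, keys)}
    end)
  end
  defp discard(other, _keys), do: other

  defp keep(%{} = map, keys) do
    Map.new(map, fn {k, v} ->
      if is_binary(k) and k in keys, do: {k, v}, else: {k, keep(v, keys)}
    end)
  end

  defp keep(_other, _keys), do: @filtered
end

# Constructed params: the page's registration fields plus a hypothetical
# "ssn" field added to the form later without touching the config.
params = %{
  "registration" => %{
    "dob" => "01/01/1990",
    "email" => "user@example.com",
    "encrypted_password" => "hunter2",
    "secret_phrase" => "top secret",
    "ssn" => "000-00-0000",
    "username" => "alekx"
  }
}

deny = FilterModel.filter(params, ["dob", "secret_phrase", "password"])
allow = FilterModel.filter(params, {:keep, ["username"]})

# Pattern matches act as assertions: a mismatch raises MatchError.
"[FILTERED]" = deny["registration"]["encrypted_password"]
"000-00-0000" = deny["registration"]["ssn"]
"[FILTERED]" = allow["registration"]["ssn"]
IO.inspect(allow, label: "keep")
```

With the list form the new field reaches the log in clear text until someone updates the config; with {:keep, ...} it is masked by default.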
